SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Fortinet and IDC: The five stages of IT security
Wed, 25th Nov 2015
FYI, this story is more than a year old

You are not alone. When it comes to your network's security, your journey from zero to hero follows a predictable, well-developed pattern that is surprisingly standard across most organisations.

That is the opinion of IDC as set out in their ‘IT Security MaturityScape' position paper and endorsed by Fortinet, a global leader in high-performance cybersecurity solutions.

Five stages of IT security

Ad hoc, opportunistic, repeatable, managed and optimised. These are the five stages of network security.

“As you develop your network,” says Andrew Khan, Fortinet Senior Business Manager at Ingram Micro, New Zealand's largest distributor of Fortinet's network security solutions, “your security profile evolves as well. The first stages are typically historical. When your organisation installed their first server and modem years ago, network security wasn't even an issue. Maybe you installed some anti-virus. Maybe you had guidelines about staff installing third-party executables. This is the ad hoc stage. Your network was vulnerable but it wasn't a major concern.

Fast forward a few years and spam, viruses and hackers started to have an impact. “Remember Anna Kournakova and the ‘I Love You' phishing scams?” asks Khan. “All of a sudden network security received more attention. A memo came down from the boss that asked ‘what are you doing about it? You now had a budget, upper-level support and a mandate. So you developed a policy, upgraded to a firewall and talked to more vendors. This is the opportunistic stage. You're improving, but still vulnerable.

Getting better

Now we're moving quickly. But not as fast as the bad guys. “Security breaches, data loss, blended threats. Once obscure jargon, these terms are now mainstream,” continues Khan. “IT managers are becoming security experts. Or else! You now have a clear understanding of the risks, costs and procedures. Your mission critical applications and data are protected. You have a multi-layered approach. This is the repeatable stage. If the risk is there, you can address it.

But that's still not good enough. “It's not today's threats that are the biggest risks,” he says, “but the ones that will hit you tomorrow. To protect against these, you need a systematic approach with constant review and updates.

"Your disaster recovery plan has been tested and tested again. You have a ‘sandbox' for isolating anomalous behaviour and your security vendor is a key player in your team. Network security is ingrained into every activity and practiced by every employee. This is the managed stage. You should be as safe as practicable.

Security nirvana

You'll never be 100% secure. No organisation can be. Even the NSA gets caught-out. But you can maximise your security profile.

“When cybersecurity is the highest priority in your organisation, when every staff member follows your explicit security policy to the letter, you monitor network activity at the granular level and your board of directors starts talking about DDS, IDS and realistic budgets, congratulations, you have reached stage five: optimisation. You are ready for anything. You proactively update everything every day. You have a full-time, highly-trained team. And you keep your organisation out of the headlines. This is where your organisation should be.

“Most enterprises fall into the ‘repeatable' and ‘managed' stages,” concludes Khan. The ‘ad hoc' businesses went bust and the ‘opportunistic' ones are skating on thin ice. A few are moving into the ‘optimised' stage. But by and large, most companies have reliable security procedures and solutions in place and are prepared for most attacks. And that is good enough in most cases. But one hack, intruder or data breach can have grave financial implications. So it's up to you. Is ‘good enough' cyber security good enough? Is the risk worth it? That's a judgement call and one that you have to think through very carefully.

“If you want to minimise your risk and optimise your security profile, the resources are there. But you need the motivation, the upper-level support and a coordinated, full-time approach. Anything less is risky business.

For further information, please contact:

Hugo Hutchinson, Business Development Manager at Ingram Micro P: 09-414-0261 | M: 021-245-8276